Reporting

When a client purchases a penetration test, the real return on their investment is the report. Without the report, the pentest is pointless. The report must be comprehensive and well-crafted, and typically includes two primary sections:

  • Executive Summary: A non-technical overview aimed at management.

  • Detailed Report: An in-depth technical record of the engagement.

Considering the importance of reporting, it is essential to be accurate and comprehensive. Detailed, step-by-step instructions are often called for, and it is common practice to include screenshots for each step of the attack simulation. Some hackers use screen recording software to record an entire pentest, then go back and grab screenshots from the video, so as to ensure that nothing is lost. This can be especially helpful if you happened to forget to include a screenshot of a vital step in the process. Rather than having to re-hack the target, you can simply take a screenshot from the video.

Such a video can also help the hacker augment their memory when writing the technical report. With so many things happening in a pentest, it’s easy to get overwhelmed by all the data. The video recording allows them to see their process from start to finish, even if they forgot how they performed a specific attack.

But screenshots and video recordings aren’t enough; during the pentest itself, it’s necessary to keep track of a great deal of data. For this, most pentesters take extensive notes throughout the pentest process. Note-taking apps like Joplin and CherryTree are commonly-used for their organizational structure.

One of the best ways to not only keep yourself organized during a pentest, but to simplify the report-writing process, is to write the report throughout the test. Many people wait until after a pentest is complete to comb through their notes and screenshots and compile their report. However, this is a sub-optimal approach, requiring a great deal of effort all at once, and all at the tail end of a thorough penetration test. By writing the report throughout the pentest, you reinforce your understanding of the pentest-thus-far, which can help you keep your thoughts straight as you proceed. On top of that, you save yourself a great deal of effort at the end of the pentest; instead of writing a report from scratch, you need only revise the report you’ve already written.

Note

If you’re curious to learn more about how a pentest report is written, check out this curated list of public pentesting reports. Here you can read all the real, professionally-produced pentest reports you could possibly ever want.